CloudFront returns 403 from other locations

Problem description

I have an S3 bucket hosting objects that my users can download through my application. I am using CloudFront as the CDN with signed URLs. In the US everything works fine, but when my users in another country (India) try to download the same objects, they get the error The Remote Server returned an error : (403) Forbidden

I confirmed that I have not set any geo restriction on the CloudFront distribution.


My origin name and domain path configured in CloudFront are of the form xyz-final-bucket.s3.us-west-2.amazonaws.com

Below is the code that generates the signed URL for CloudFront

    Imports System.Text
    Imports System.Security.Cryptography
    Imports System.Xml

    ' Builds a CloudFront canned-policy signed URL. GetDuration, CreatePolicyStatement,
    ' copyExpirationTimeFromPolicy, ToUrlSafeBase64String and RsaKeyConverterHelper are
    ' helpers defined elsewhere in the same project.
    Public Shared Function CreateCannedSignedURL(ByVal urlString As String, ByVal durationUnits As String, ByVal durationNumber As String, ByVal CannedPolicy As String, ByVal privateKey As String, ByVal privateKeyId As String) As String
        Dim timeSpanInterval As TimeSpan = GetDuration(durationUnits, durationNumber)
        ' Start and end of the validity window are taken from the local clock of the
        ' machine running this code (DateTime.Now), not from a trusted time source.
        Dim strPolicy As String = CreatePolicyStatement(CannedPolicy, urlString, DateTime.Now, DateTime.Now.Add(timeSpanInterval), "0.0.0.0/0")
        If "Error!" = strPolicy Then Return "Invalid time frame.  Start time cannot be greater than end time."
        ' The Expires query parameter must carry the same epoch value as the policy's DateLessThan.
        Dim strExpiration As String = copyExpirationTimeFromPolicy(strPolicy)
        Dim bufferPolicy As Byte() = Encoding.ASCII.GetBytes(strPolicy)

        Using cryptoSHA1 As SHA1CryptoServiceProvider = New SHA1CryptoServiceProvider()
            ' CloudFront signed URLs use an RSA-SHA1 PKCS#1 v1.5 signature over the policy JSON.
            bufferPolicy = cryptoSHA1.ComputeHash(bufferPolicy)
            Dim providerRSA As RSACryptoServiceProvider = New RSACryptoServiceProvider()
            Dim xmlPrivateKey As XmlDocument = New XmlDocument()

            ' The CloudFront key pair's private key is supplied as PEM and converted to the XML
            ' form that RSACryptoServiceProvider.FromXmlString understands.
            Dim pemText As String = privateKey
            Dim xmlContent = RsaKeyConverterHelper.PemToXml(pemText)
            xmlPrivateKey.LoadXml(xmlContent)
            providerRSA.FromXmlString(xmlPrivateKey.InnerXml)

            Dim rsaFormatter As RSAPKCS1SignatureFormatter = New RSAPKCS1SignatureFormatter(providerRSA)
            rsaFormatter.SetHashAlgorithm("SHA1")
            Dim signedPolicyHash As Byte() = rsaFormatter.CreateSignature(bufferPolicy)
            ' CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'
            Dim strSignedPolicy As String = ToUrlSafeBase64String(signedPolicyHash)
            Dim downloadLink As String = urlString & "?Expires=" & strExpiration & "&Signature=" & strSignedPolicy & "&Key-Pair-Id=" & privateKeyId
            Return downloadLink
        End Using
    End Function

All objects in the bucket are stored in One Zone-IA. I'm not sure whether that is the cause, since I also tried changing it to Standard.

Do I need to make any change to my configuration to enable downloads from all geographic locations?

Solution

The problem was with the machine in India that was making the request. Its time was not synchronized with its time zone. The time set on that client was about an hour later than the actual time, so when the expiry timestamp was generated it was always after the actual time. After correcting the time for the customer, the issue was resolved.
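The failure mode described in the question and answer, as an added example that is not the poster's code: the canned policy and Expires value are built from the generating machine's clock, while CloudFront checks DateLessThan against its own clock, so a skewed clock shifts the whole validity window. Python is used here instead of the VB.NET of the original; the 30-minute window and the epoch values are constructed for illustration, and signing is left out because it does not affect the expiry check.

```python
import base64
import json

# Constructed validity window; the question's helper derives this from durationUnits/durationNumber.
VALIDITY_SECONDS = 30 * 60


def canned_policy(resource_url: str, expires_epoch: int) -> str:
    """CloudFront canned policy: one statement with a single DateLessThan condition."""
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))


def expires_from_policy(policy_json: str) -> int:
    """Counterpart of copyExpirationTimeFromPolicy: the Expires query value must match the policy."""
    return json.loads(policy_json)["Statement"][0]["Condition"]["DateLessThan"]["AWS:EpochTime"]


def to_cloudfront_base64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").replace("+", "-").replace("=", "_").replace("/", "~")


def edge_accepts(expires_epoch: int, edge_clock_epoch: int) -> bool:
    """CloudFront honours the URL only while its own clock is before DateLessThan."""
    return edge_clock_epoch < expires_epoch


def simulate(skew_seconds: int, true_now: int, validity_seconds: int = VALIDITY_SECONDS) -> dict:
    """Generate a URL on a machine whose clock is off by skew_seconds and check it at the edge.

    A clock behind real time (negative skew) larger than the window yields an Expires value
    already in the past, i.e. the 403 seen in the question. A clock ahead of real time
    (positive skew) is accepted but silently extends the window beyond what was intended.
    """
    generator_clock = true_now + skew_seconds
    policy = canned_policy("https://d111111abcdef8.cloudfront.net/file.bin", generator_clock + validity_seconds)
    expires = expires_from_policy(policy)
    return {
        "expires": expires,
        "accepted": edge_accepts(expires, true_now),
        # seconds of validity the edge actually grants, relative to the intended window
        "effective_validity": expires - true_now,
    }
```

Comparing `simulate(0, now)` with `simulate(-3600, now)` reproduces the question: the same code path, with the generating clock an hour off, produces a URL that is expired on arrival.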